Hi all,

I'm having trouble getting the x2go client to authenticate with
passwordless login options other than Kerberos. Specifically, I've
tried auto login (via SSH agent) and supplying the path to my OpenSSH
private key (which is an ECDSA key).

Kerberos works for me (as long as I have a valid ticket), but I want
to connect using the ECDSA key, for reasons I'll explain below.

I suspect that the ECDSA format key is not supported by my current
client version, but if someone could confirm (or deny) that, I would
appreciate it; and if it's possible that it might work with a more up
to date client build / build against an updated LibSSH or something,
that would be good to know too. I don't currently have the wherewithal
to build my own copy of the client for MacOS, but that might provide
some incentive for me to try sometime soon.

Some background: I'm using x2go at work to connect from my Macbook Pro
to a Linux server. To connect using Kerberos, I need a valid ticket,
and to get a valid ticket, I need to first connect to the corporate
VPN. However, I don't need to connect to the VPN in order to use SSH
(from a terminal), thanks to a proxy software (a ProxyCommand in my
~/.ssh/config).

If I already have a valid Kerberos ticket, the X2go client will
connect using Kerberos, without VPN (that is, the ProxyCommand seems
to work). However, I don't want to have to connect to the VPN just to
renew my Kerberos ticket when ssh itself will work using the ECDSA key
I obtain. (It will also work using my password, but that is a
temporary measure... my employer is phasing out password-based ssh in
favor of requiring U2F).

To be clear, the proxy command doesn't seem to be the issue; I
encounter the same problem when I'm connected to the VPN.

I've attached two files (with usernames and hostnames substituted),
one the output of ssh -vvv (success) and the other the output from
/Applications/x2goclient.app/Contents/MacOS/x2goclient --debug
(failed). Both were run while connected to the VPN. The x2go session
was set up with "Try auto login" checked, Kerberos 5 unchecked, and
"Use RSA/DSA key" left blank (the log also shows that the contents of
my ssh agent were valid in the terminal). Trying after supplying a
path to my ~/.ssh/id_ecdsa file under "Use RSA/DSA key" has the same
result.

myusername [601] $ ssh -vvv -i ~/.ssh/id_ecdsa remote-host.domain 
OpenSSH_9.0p1, LibreSSL 3.3.6
debug1: Reading configuration data /Users/myusername/.ssh/config
debug2: checking match for 'all' host remote-host.domain originally 
remote-host.domain
debug2: match found
debug1: /Users/myusername/.ssh/config line 42: Applying options for *
debug1: /Users/myusername/.ssh/config line 56: Applying options for 
remote-host.domain
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no 
files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> 
'/Users/myusername/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> 
'/Users/myusername/.ssh/known_hosts2'
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to remote-host.domain port 22.
debug1: Connection established.
debug1: identity file /Users/myusername/.ssh/id_ecdsa type 2
debug1: identity file /Users/myusername/.ssh/id_ecdsa-cert type 6
debug1: identity file /Users/myusername/.ssh/id_rsa type -1
debug1: identity file /Users/myusername/.ssh/id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.0
debug1: Remote protocol version 2.0, remote software version 
OpenSSH_7.4p1-RHEL7-7.4p1-22 mdy1.0
debug1: compat_banner: match: OpenSSH_7.4p1-RHEL7-7.4p1-22 mdy1.0 pat 
OpenSSH_7.4* compat 0x04000006
debug3: fd 5 is O_NONBLOCK
debug1: Authenticating to remote-host.domain:22 as 'myusername'
debug3: record_hostkey: found key type RSA in file 
/Users/myusername/.ssh/known_hosts:150
debug3: load_hostkeys_file: loaded 1 keys from remote-host.domain
debug1: load_hostkeys: fopen /Users/myusername/.ssh/known_hosts2: No such file 
or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or 
directory
debug3: order_hostkeyalgs: prefer hostkeyalgs: 
rsa-sha2-512-cert-...@openssh.com,rsa-sha2-256-cert-...@openssh.com,rsa-sha2-512,rsa-sha2-256
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: 
sntrup761x25519-sha...@openssh.com,curve25519-sha256,curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: 
rsa-sha2-512-cert-...@openssh.com,rsa-sha2-256-cert-...@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-ed25519-cert-...@openssh.com,ecdsa-sha2-nistp256-cert-...@openssh.com,ecdsa-sha2-nistp384-cert-...@openssh.com,ecdsa-sha2-nistp521-cert-...@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug2: ciphers ctos: 
chacha20-poly1...@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com,aes256-...@openssh.com
debug2: ciphers stoc: 
chacha20-poly1...@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com,aes256-...@openssh.com
debug2: MACs ctos: 
umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha1-...@openssh.com,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: 
umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha1-...@openssh.com,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,z...@openssh.com,zlib
debug2: compression stoc: none,z...@openssh.com,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: 
curve25519-sha256,curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos: 
chacha20-poly1...@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com,aes256-...@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
debug2: ciphers stoc: 
chacha20-poly1...@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com,aes256-...@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
debug2: MACs ctos: 
umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha1-...@openssh.com,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: 
umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha1-...@openssh.com,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,z...@openssh.com
debug2: compression stoc: none,z...@openssh.com
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: chacha20-poly1...@openssh.com MAC: 
<implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1...@openssh.com MAC: 
<implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-rsa 
SHA256:7dBI8crgIPq/oDEw8mgTS55DfR9PJonyfK2OfEyav9M
debug3: record_hostkey: found key type RSA in file 
/Users/myusername/.ssh/known_hosts:150
debug3: load_hostkeys_file: loaded 1 keys from remote-host.domain
debug1: load_hostkeys: fopen /Users/myusername/.ssh/known_hosts2: No such file 
or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or 
directory
debug1: Host 'remote-host.domain' is known and matches the RSA host key.
debug1: Found key in /Users/myusername/.ssh/known_hosts:150
debug3: send packet: type 21
debug2: ssh_set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: ssh_set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: agent returned 2 keys
debug1: Will attempt key: /Users/myusername/.ssh/id_ecdsa ECDSA 
SHA256:hUU4toSfGtbppiW5itSduzWBpfVXi48SXqBwr9pgA9U explicit agent
debug1: Will attempt key: /Users/myusername/.ssh/id_ecdsa ECDSA-CERT 
SHA256:hUU4toSfGtbppiW5itSduzWBpfVXi48SXqBwr9pgA9U explicit agent
debug1: Will attempt key: /Users/myusername/.ssh/id_rsa  explicit
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: 
publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug3: start over, passed a different list 
publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/myusername/.ssh/id_ecdsa ECDSA 
SHA256:hUU4toSfGtbppiW5itSduzWBpfVXi48SXqBwr9pgA9U explicit agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: 
publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Offering public key: /Users/myusername/.ssh/id_ecdsa ECDSA-CERT 
SHA256:hUU4toSfGtbppiW5itSduzWBpfVXi48SXqBwr9pgA9U explicit agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: /Users/myusername/.ssh/id_ecdsa ECDSA-CERT 
SHA256:hUU4toSfGtbppiW5itSduzWBpfVXi48SXqBwr9pgA9U explicit agent
debug3: sign_and_send_pubkey: using publickey with ECDSA-CERT 
SHA256:hUU4toSfGtbppiW5itSduzWBpfVXi48SXqBwr9pgA9U
debug2: sign_and_send_pubkey: using private key 
"/Users/myusername/.ssh/id_ecdsa" from agent for certificate
debug3: sign_and_send_pubkey: signing using 
ecdsa-sha2-nistp256-cert-...@openssh.com 
SHA256:hUU4toSfGtbppiW5itSduzWBpfVXi48SXqBwr9pgA9U
debug3: send packet: type 50
debug3: receive packet: type 52
Authenticated to remote-host.domain ([10.189.205.82]:22) using "publickey".
myusername [599] $ ssh-add -l
256 SHA256:hUU4toSfGtbppiW5itSduzWBpfVXi48SXqBwr9pgA9U 
myusername@my-local-host.local-domain (ECDSA)
256 SHA256:hUU4toSfGtbppiW5itSduzWBpfVXi48SXqBwr9pgA9U 
myusername@my-local-host.local-domain (ECDSA-CERT)

myusername [600] $ /Applications/x2goclient.app/Contents/MacOS/x2goclient 
--debug
x2go-INFO-1> "Starting X2Go Client 4.1.2.2..."
x2go-WARNING-1> English language requested, not loading translator.
x2go-WARNING-1> English language requested, not loading translator.
x2go-DEBUG-../src/onmainwindow.cpp:1246> Removing apps from tray
x2go-DEBUG-../src/onmainwindow.cpp:1214> Plugging apps in tray.
x2go-INFO-3> "Started X2Go Client."
x2go-DEBUG-../src/onmainwindow.cpp:575> "$HOME=/Users/myusername"
x2go-DEBUG-../src/onmainwindow.cpp:2266> Reading 3 sessions from config file.
x2go-DEBUG-../src/sessionbutton.cpp:361> Creating QPixmap with session icon: 
":/img/icons/128x128/x2gosession.png".
x2go-DEBUG-../src/sessionbutton.cpp:361> Creating QPixmap with session icon: 
":/img/icons/128x128/x2gosession.png".
x2go-DEBUG-../src/sessionbutton.cpp:361> Creating QPixmap with session icon: 
":/img/icons/128x128/x2gosession.png".
x2go-DEBUG-../src/onmainwindow.cpp:13290> libssh not initialized yet. 
Initializing.
x2go-DEBUG-../src/onmainwindow.cpp:7110> Not starting PulseAudio
Object::connect: No such slot SessionWidget::slot_emitSettings()
Object::connect: No such slot SessionWidget::slot_emitSettings()
2023-07-26 10:19:38.659 x2goclient[1687:31716419] modalSession has been exited 
prematurely - check for a reentrant call to endModalSession:
x2go-DEBUG-../src/onmainwindow.cpp:2752> Creating QPixmap with session icon: 
'":/img/icons/128x128/x2gosession.png"'.
x2go-DEBUG-../src/onmainwindow.cpp:6771> Setting focus.

x2go-DEBUG-../src/onmainwindow.cpp:2819> Starting session via Smart Card, SSH 
Agent or Kerberos token.
x2go-DEBUG-../src/onmainwindow.cpp:1246> Removing apps from tray
x2go-INFO-8> "Starting connection to server: remote-host.domain:22"
x2go-DEBUG-../src/onmainwindow.cpp:2853> Starting new ssh connection to 
server:"remote-host.domain":"22" krbLogin: false
x2go-DEBUG-../src/sshmasterconnection.cpp:168> SshMasterConnection, host 
"remote-host.domain"; port 22; user "myusername"; useproxy false; proxyserver 
""; proxyport 22
x2go-DEBUG-../src/sshmasterconnection.cpp:248> Starting SSH connection without 
Kerberos authentication.
x2go-DEBUG-../src/sshmasterconnection.cpp:250> SshMasterConnection, instance 
SshMasterConnection(0x7f94e5077b50)  created. 
x2go-DEBUG-../src/sshmasterconnection.cpp:495> SshMasterConnection, instance 
SshMasterConnection(0x7f94e5077b50)  entering thread. 
x2go-DEBUG-../src/sshmasterconnection.cpp:797> Session port before config file 
parse: 22
x2go-DEBUG-../src/sshmasterconnection.cpp:807> Session port after config file 
parse: 22
x2go-DEBUG-../src/sshmasterconnection.cpp:870> Session port before config file 
parse (part 2): 22
x2go-DEBUG-../src/sshmasterconnection.cpp:880> Session port after config file 
parse (part 2): 22
x2go-DEBUG-../src/sshmasterconnection.cpp:904> cserverAuth
x2go-DEBUG-../src/sshmasterconnection.cpp:943> state: 1

x2go-DEBUG-../src/sshmasterconnection.cpp:1307> userAuthAuto failed:"Access 
denied for 'publickey'. Authentication that can continue: 
publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive" (code 1)

x2go-DEBUG-../src/sshmasterconnection.cpp:1207> Challenge authentication 
requested.

x2go-DEBUG-../src/sshmasterconnection.cpp:1213> Challenge authentication failed.

x2go-DEBUG-../src/sshmasterconnection.cpp:1218> Trying password mechanism if 
available.

x2go-DEBUG-../src/sshmasterconnection.cpp:1222> Password mechanism available. 
Continuing.

2023-07-26 10:20:00.513 x2goclient[1687:31716419] modalSession has been exited 
prematurely - check for a reentrant call to endModalSession:
x2go-DEBUG-../src/sshmasterconnection.cpp:1251> Password authentication failed: 
"Access denied for 'password'. Authentication that can continue: 
publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive"

x2go-DEBUG-../src/sshmasterconnection.cpp:1262> Password authentication not 
available: "Access denied for 'password'. Authentication that can continue: 
publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive"

x2go-DEBUG-../src/sshmasterconnection.cpp:736> "Authentication failed." - 
"Access denied for 'password'. Authentication that can continue: 
publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive"
x2go-DEBUG-../src/sshmasterconnection.cpp:764> SshMasterConnection, instance 
SshMasterConnection(0x7f94e5077b50)  waiting for thread to finish. 
x2go-DEBUG-../src/sshmasterconnection.cpp:766> SshMasterConnection, instance 
SshMasterConnection(0x7f94e5077b50)  thread finished. 
x2go-DEBUG-../src/sshmasterconnection.cpp:771> SshMasterConnection, instance 
SshMasterConnection(0x7f94e5077b50)  finished destructor. 
2023-07-26 10:20:04.192 x2goclient[1687:31716419] modalSession has been exited 
prematurely - check for a reentrant call to endModalSession:
x2go-DEBUG-../src/onmainwindow.cpp:6771> Setting focus.
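
The publickey exchange in `ssh -vvv` output like the log above can be reduced to one outcome per offered identity. The following is an added example, not part of the original post or of X2Go: it re-joins mail-wrapped debug lines and reports which offered key types the server rejected or accepted. The sample input is constructed, with a placeholder path, host and fingerprint.

```python
import re

# Constructed sample shaped like the ssh -vvv output in the post, mail-wrapped
# lines included; the path, host and fingerprint are placeholders.
SAMPLE = """\
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Offering public key: /Users/example/.ssh/id_ecdsa ECDSA
SHA256:PLACEHOLDER explicit agent
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Offering public key: /Users/example/.ssh/id_ecdsa ECDSA-CERT
SHA256:PLACEHOLDER explicit agent
debug1: Server accepts key: /Users/example/.ssh/id_ecdsa ECDSA-CERT
SHA256:PLACEHOLDER explicit agent
Authenticated to remote-host.example ([192.0.2.10]:22) using "publickey".
"""

RECORD_START = re.compile(r"^(debug\d: |Authenticated to )")
OFFER = re.compile(r"Offering public key: (\S+) (\S+) (\S+)")
ACCEPT = re.compile(r"Server accepts key: (\S+) (\S+) (\S+)")

def unwrap(text):
    """Re-join records that a mail client wrapped onto continuation lines."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line.strip())
        elif line.strip():
            records[-1] += " " + line.strip()
    return records

def pubkey_outcomes(text):
    """Return [(key_type, identity_path, outcome), ...] in offer order."""
    outcomes, pending = [], None
    for rec in unwrap(text):
        if m := OFFER.search(rec):
            pending = (m.group(2), m.group(1))  # (key type, identity path)
        elif "Authentications that can continue:" in rec and pending:
            outcomes.append((*pending, "rejected"))  # failure reply to the offer
            pending = None
        elif m := ACCEPT.search(rec):
            outcomes.append((m.group(2), m.group(1), "accepted"))
            pending = None
    return outcomes

if __name__ == "__main__":
    for row in pubkey_outcomes(SAMPLE):
        print(*row)
```

Run over the `ssh -vvv` log in the post, this reports the plain ECDSA offer as rejected and the ECDSA-CERT offer as accepted.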